deps: bump golang.org/x/net to v0.54.0 to fix CVE-2026-27141 #4481
Merged
andrewlecuyer approved these changes May 13, 2026
govulncheck reports DoS vulnerabilities in golang.org/x/net/http2 (http2.Transport.RoundTrip, NewClientConn, unencryptedTransport.RoundTrip, noDialH2RoundTripper.RoundTrip) that are reached via Kubernetes' discovery client. The fix is in x/net v0.51.0+ for CVE-2026-27141 and later versions for follow-on HTTP/2 hardening (e.g. CVE-2026-33814 fixes). Bumping x/net to v0.54.0 (the latest release as of Apr 2026) also pulls in the matching versions of the other golang.org/x/* dependencies it relies on (crypto, mod, sync, sys, term, text, tools). All are minor bumps within the x/ family and contain no API breakage.

Rebased on top of CrunchyData#4479 (Kubernetes 0.36.0 / controller-runtime 0.24.0).

Co-authored-by: Cursor <cursoragent@cursor.com>
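The fix ships in x/net v0.51.0 and later, so after a bump the version worth verifying is the one the module graph actually selects for the build (what `go list -m all` prints), which can differ from a bare go.mod line when a replace directive is in play. The Go code below is an added example, not part of this PR or the postgres-operator code base; it assumes its input is the text of `go list -m all` (a constructed sample is embedded), takes the module name and the v0.51.0 floor from the description above, and all helper names are mine.

```go
package main

import (
	"strconv"
	"strings"
)

const fixedXNet = "v0.51.0" // lowest golang.org/x/net release with the CVE-2026-27141 fix, per the PR
// Constructed sample of `go list -m all` output (not from the real repository); the x/net line is replaced.
const sampleBuildList = "github.com/example/operator\ngolang.org/x/crypto v0.45.0\ngolang.org/x/net v0.50.0 => golang.org/x/net v0.54.0\n"
// versionAtLeast reports have >= want for Go module versions "vMAJOR.MINOR.PATCH[-pre][+meta]". A "-" suffix
// marks a pre-release (pseudo-versions use it) ranking BELOW its base: v0.51.0-0.2026...-abc is not >= v0.51.0.
func versionAtLeast(have, want string) bool {
	nums := func(v string) (out [3]int, pre, ok bool) {
		if i := strings.IndexAny(v, "-+"); i >= 0 {
			pre, v = v[i] == '-', v[:i]
		}
		parts := strings.Split(strings.TrimPrefix(v, "v"), ".")
		for i := 0; i < 3 && i < len(parts); i++ {
			n, err := strconv.Atoi(parts[i])
			if err != nil || n < 0 {
				return out, pre, false
			}
			out[i] = n
		}
		return out, pre, len(parts) == 3
	}
	h, hpre, hok := nums(have)
	w, _, wok := nums(want)
	for i := 0; hok && wok && i < 3; i++ {
		if h[i] != w[i] {
			return h[i] > w[i]
		}
	}
	return hok && wok && (!hpre || have == want) // equal base: a pre-release only matches itself
}
// xNetFixed finds golang.org/x/net in `go list -m all` output (the MVS-selected build list, i.e. what really
// compiles, unlike a bare go.mod line) and checks it against fixedXNet; an absent module is reported as not fixed.
func xNetFixed(buildList string) (fixed bool, have string) {
	for _, line := range strings.Split(buildList, "\n") {
		if f := strings.Fields(line); len(f) >= 2 && f[0] == "golang.org/x/net" {
			if have = f[1]; len(f) >= 4 && f[2] == "=>" {
				have = f[len(f)-1] // replace directive: the replacement (or a versionless local path) is what builds
			}
			return versionAtLeast(have, fixedXNet), have
		}
	}
	return false, ""
}
```

Run `go list -m all > buildlist.txt` in the module root and feed the file to xNetFixed; a `false` result with a version that parses means the build still selects a vulnerable release, and a `false` with an empty or odd version means the check could not decide and govulncheck should be consulted.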
f82c6ec to 4967baa
…troller-runtime 0.24

The kubernetes group bump to 0.36.0 (CrunchyData#4479) introduced a new v1.PersistentVolumeClaimConditionType ("Unused") that triggers the exhaustive linter on the PVC condition switch in volumes.go. Add it to the existing no-op case alongside the other condition types that have no bearing on volume resizing.

The bump also surfaced two staticcheck SA1019 deprecation warnings that block CI on every PR until addressed:

- controller-runtime 0.24 deprecated scheme.Builder (used by both v1 and v1beta1 groupversion_info.go). Migrating to the new helper requires restructuring our api packages, so suppress the warning for now and leave a TODO via the comment.
- k8s.io/apimachinery 0.36 deprecated direct access to managed.FieldsV1.Raw in favor of GetRawBytes/SetRawBytes. Only apply_test.go uses the old field; suppress until the test is rewritten against the new helpers.

These exclusions are scoped narrowly via path patterns so other call sites (if any) still get flagged.

Co-authored-by: Cursor <cursoragent@cursor.com>
ValClarkson added a commit to ValClarkson/postgres-operator that referenced this pull request May 13, 2026
…OTel

Now that the x/net CVE fix (CrunchyData#4481) and the k8s 0.36.0 / controller-runtime 0.24.0 jump (CrunchyData#4479) are on main, this finishes the planned upgrade pass with patch bumps and the Go toolchain bump:

* Go 1.26.0 -> 1.26.3 (go directive only; e2e CI still installs Go 1.25.x for kuttl/chainsaw which depend on testDeps.ModulePath at the older toolchain).
* k8s.io/api, apimachinery, client-go 0.36.0 -> 0.36.1
* sigs.k8s.io/controller-runtime 0.24.0 -> 0.24.1
* go.opentelemetry.io/otel{,/sdk,/trace,/metric,/log,/sdk/log,/sdk/metric} 1.42.0 -> 1.43.0 (and matching otlp/* exporters; stdout* and log* sub-modules to v0.19.0 / v1.43.0 / v0.65.0 as appropriate).
* go.opentelemetry.io/contrib/{exporters/autoexport,instrumentation/net/http/otelhttp,propagators/autoprop,bridges/prometheus,propagators/{aws,b3,jaeger,ot}} 0.67.0/1.42.0 -> 0.68.0/1.43.0.

These are all patch / minor bumps within their respective stable lines. 'go mod tidy', 'go build ./...', 'go vet ./...', 'make generate', and 'golangci-lint run' all pass cleanly with no source changes required.

Supersedes the Dependabot PRs CrunchyData#4475, CrunchyData#4477, CrunchyData#4478 and the older snapshot of CrunchyData#4483.

Signed-off-by: ValClarkson <valerie.clarkson@crunchydata.com>